Apache HTTP Error Config

Uploaded by

Jason Gomez

Micro Focus Security ArcSight Connectors

SmartConnector for Apache HTTP Server Error File

Configuration Guide

June, 2018
Copyright © 2003 – 2017; 2018 Micro Focus and its affiliates and licensors.

Warranty

The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro
Focus”) are set forth in the express warranty statements accompanying such products and services.
Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be
liable for technical or editorial errors or omissions contained herein. The information contained herein
is subject to change without notice.

Restricted Rights Legend

Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro
Focus is required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial
Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are
licensed to the U.S. Government under vendor's standard commercial license.

Trademark Notices

Adobe™ is a trademark of Adobe Systems Incorporated. Microsoft® and Windows® are U.S. registered
trademarks of Microsoft Corporation. UNIX® is a registered trademark of The Open Group.

Revision History
Date Description
10/17/2017 Added encryption parameters to Global Parameters.
11/30/2016 Updated installation procedure for setting preferred IP address mode.
08/14/2015 Updated versions supported.
06/30/2012 Added support for version 2.4. Added and updated mappings.
05/15/2012 Added new installation procedure.
09/30/2011 Updated Log File Name parameter description.
02/11/2010 Added support for FIPS Suite B and CEF File transport.
06/30/2009 Global update to installation procedure for FIPS support.
11/12/2008 Updated configuration guide name.
09/25/2008 Added image of installation parameter screen.
03/01/2008 Update to installation procedure.
09/20/2007 General content update; correction to error log path.
SmartConnector for Apache HTTP Server Error File

This guide provides information for installing the SmartConnector for Apache HTTP Server Error
File and configuring the device for event collection. This SmartConnector is supported on AIX,
Linux, and Solaris platforms. Apache HTTP Server versions 1.3 and 2.4 are supported.

Product Overview
The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP
server for modern operating systems including UNIX and Windows NT. Apache is a secure,
efficient, and extensible server that provides HTTP services in sync with the current HTTP
standards.

The Apache HTTP server error log (whose name and location are set by the ErrorLog directive) is
the most important log file. This is where the Apache server sends diagnostic information and
records any errors it encounters when processing requests. It is the first place to look when a
problem occurs with starting the server or with the operation of the server, because it will often
contain details of what went wrong and how to fix it. (See the Apache HTTP Server
documentation for more information.)

Configuring Apache HTTP Server for Event Collection


To configure the Apache HTTP Server SmartConnector:

1 Make sure that you are using Apache's default log formats.

The SmartConnector for Apache HTTP Server Error Log uses only four Apache default log
formats. The default formats must appear in Apache's configuration file,
/etc/apache/httpd.conf, as the following:

ErrorLog "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %T %v" full
ErrorLog "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %P %T" debug
ErrorLog "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
ErrorLog "%h %l %u %t \"%r\" %>s %b" common

2 In Apache's configuration file, /etc/apache/httpd.conf, change the following line to:

customlog /var/log/apache/error.log <log file>

where <log file> is one of the following: full, debug, combined, or common.

Install the SmartConnector


The following sections provide instructions for installing and configuring your selected
SmartConnector.

Prepare to Install Connector


Before you install any SmartConnectors, make sure that the ArcSight products with which the
connectors will communicate have already been installed correctly (such as ArcSight ESM or
ArcSight Logger).

For complete product information, read the Administrator's Guide as well as the Installation and
Configuration guide for your ArcSight product before installing a new SmartConnector. If you are
adding a connector to the ArcSight Management Center, see the ArcSight Management Center
Administrator's Guide for instructions, and start the installation procedure at "Set Global
Parameters (optional)" or "Select Connector and Add Parameter Information."

Before installing the SmartConnector, be sure the following are available:

• Local access to the machine where the SmartConnector is to be installed

• Administrator passwords

Install Core Software


Unless specified otherwise at the beginning of this guide, this SmartConnector can be installed on
all ArcSight supported platforms; for the complete list, see the SmartConnector Product and
Platform Support document, available from the Micro Focus SSO and Protect 724 sites.

1 Download the SmartConnector executable for your operating system from the Micro Focus
SSO site.

2 Start the SmartConnector installation and configuration wizard by running the executable.

Follow the wizard through the following folder selection tasks and installation of the core
connector software:

Introduction
Choose Install Folder
Choose Shortcut Folder
Pre-Installation Summary
Installing...

3 When the installation of SmartConnector core component software is finished, the following
window is displayed:

Set Global Parameters (optional)


If you choose to perform any of the operations shown in the following table, do so before adding
your connector. You can set the following parameters:

Parameter: Setting

FIPS mode: Select 'Enabled' to enable FIPS compliant mode. To enable FIPS Suite B Mode, see the SmartConnector User Guide under "Modifying Connector Parameters" for instructions. Initially, this value is set to 'Disabled'.

Remote Management: Select 'Enabled' to enable remote management from ArcSight Management Center. When queried by the remote management device, the values you specify here for enabling remote management and the port number will be used. Initially, this value is set to 'Disabled'.

Remote Management Listener Port: The remote management device will listen to the port specified in this field. The default port number is 9001.

Preferred IP Version: When both IPv4 and IPv6 IP addresses are available for the local host (the machine on which the connector is installed), you can choose which version is preferred. Otherwise, you will see only one selection. The initial setting is IPv4.

The following parameters should be configured only if you are using Micro Focus SecureData
solutions to provide encryption. See the Micro Focus SecureData Architecture Guide for more
information.

Parameter: Setting

Format Preserving Encryption: Data leaving the connector machine to a specified destination can be encrypted by selecting 'Enabled' to encrypt the fields identified in 'Event Fields to Encrypt' before forwarding events. If encryption is enabled, it cannot be disabled. Changing any of the encryption parameters again will require a fresh installation of the connector.

Format Preserving Policy URL: Enter the URL where the Micro Focus SecureData Server is installed.

Proxy Server (https): Enter the proxy host for https connection if any proxy is enabled for this machine.

Proxy Port: Enter the proxy port for https connection if any proxy is enabled for this machine.

Format Preserving Identity: The Micro Focus SecureData client software allows client applications to protect and access data based on key names. This key name is referred to as the identity. Enter the user identity configured for Micro Focus SecureData.

Format Preserving Secret: Enter the secret configured for Micro Focus SecureData to use for encryption.

Event Fields to Encrypt: Recommended fields for encryption are listed; delete any fields you do not want encrypted and add any string or numeric fields you want encrypted. Encrypting more fields can affect performance, with 20 fields being the maximum recommended. Also, because encryption changes the value, rules or categorization could also be affected. Once encryption is enabled, the list of event fields cannot be edited.

After making your selections, click Next. A summary screen is displayed. Review the summary of
your selections and click Next. Click Continue to return to the "Add a Connector" window.
Continue the installation procedure with "Select Connector and Add Parameter Information."

Select Connector and Add Parameter Information


1 Select Add a Connector and click Next. If applicable, you can enable FIPS mode and enable
remote management later in the wizard after SmartConnector configuration.

2 Select Apache HTTP Server Error File and click Next.

3 Enter the required SmartConnector parameters to configure the SmartConnector, then click
Next.

Parameter: Description

Apache Error Log File Name: The absolute path to the location of the log files (such as the default /var/log/apache/error.log).

Prior to installing the Apache HTTP SmartConnector, make sure the Apache HTTP Server is
configured to use Apache default log formats. The default formats must appear in Apache's
configuration file, /etc/apache/httpd.conf. Make sure these logs are not rotated by
Apache.

Select a Destination
1 The next window asks for the destination type; select a destination and click Next. For
information about the destinations listed, see the ArcSight SmartConnector User Guide.

2 Enter values for the destination. For the ArcSight Manager destination, the values you enter
for User and Password should be the same ArcSight user name and password you created
during the ArcSight Manager installation. Click Next.

3 Enter a name for the SmartConnector and provide other information identifying the
connector's use in your environment. Click Next. The connector starts the registration
process.

4 If you have selected ArcSight Manager as the destination, the certificate import window for
the ArcSight Manager is displayed. Select Import the certificate to the connector from
destination and click Next. (If you select Do not import the certificate to connector from
destination, the connector installation will end.) The certificate is imported and the Add
connector Summary window is displayed.

Complete Installation and Configuration


1 Review the Add Connector Summary and click Next. If the summary is incorrect, click
Previous to make changes.

2 The wizard now prompts you to choose whether you want to run the SmartConnector as a
stand-alone process or as a service. If you choose to run the connector as a stand-alone
process, select Leave as a standalone application, click Next, and continue with step 5.

3 If you chose to run the connector as a service, with Install as a service selected, click Next. The
wizard prompts you to define service parameters. Enter values for Service Internal Name and
Service Display Name and select Yes or No for Start the service automatically. The Install
Service Summary window is displayed when you click Next.

4 Click Next on the summary window.

5 To complete the installation, choose Exit and click Next.

For instructions about upgrading the connector or modifying parameters, see the SmartConnector
User Guide.

Run the SmartConnector


SmartConnectors can be installed and run in stand-alone mode, on Windows platforms as a
Windows service, or on UNIX platforms as a UNIX daemon, depending upon the platform
supported. On Windows platforms, SmartConnectors also can be run using shortcuts and optional
Start menu entries.

If the connector is installed in stand-alone mode, it must be started manually and is not
automatically active when a host is restarted. If installed as a service or daemon, the connector
runs automatically when the host is restarted. For information about connectors running as
services or daemons, see the ArcSight SmartConnector User Guide.

To run all SmartConnectors installed in stand-alone mode on a particular host, open a command
window, go to $ARCSIGHT_HOME\current\bin and run: arcsight connectors

To view the SmartConnector log, read the file $ARCSIGHT_HOME\current\logs\agent.log; to stop all
SmartConnectors, enter Ctrl+C in the command window.

Device Event Mapping to ArcSight Fields


The following section lists the mappings of ArcSight data fields to the device's specific event
definitions. See the ArcSight Console User's Guide for more information about the ArcSight data
fields.

Apache HTTP Server Error Log Mappings to ArcSight ESM Fields


ArcSight ESM Field: Device-Specific Field

Additional data: pid
Additional data: signal
Application Protocol: 'http'
ArcSight Severity - High: error
ArcSight Severity - Low: notice, info, or debug
ArcSight Severity - Medium: warn
ArcSight Severity - Very High: emerg, alert, or crit
Destination Process Name: 'apache'
Device Action: action taken by the device
Device Custom Date 1: Server Built Time
Device Custom Number 3: ThreadId
Device Custom String 2: Host OS
Device Custom String 5: Mutex
Device Event Class ID: Message
Device Process ID: ProcessId
Device Process Name: One of (Module, "apache")
Device Product: 'apache'
Device Receipt Time: ParserMultipletimestamp(Date,"EEE MMM dd HH:mm:ss yyyy","EEE MMM dd HH:mm:ss.SSS yyyy")
Device Severity: Severity
Device Vendor: 'Apache'
File Name: File name
Name: Message
Source Address: Source address
Target User ID: user
Target Web URL: URL
Transport Protocol: 'TCP'
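
The mapping above, applied to sample error log lines, as an added example (not the SmartConnector's parser and not part of the original guide). The sample lines are constructed in the usual Apache 2.2 and 2.4 error log layouts; the regular expression, the function names, the "Unknown" fallback, and the choice to drop the client port are assumptions made for illustration.

```python
import re
from datetime import datetime

# ArcSight severity per the mapping table in this guide.
SEVERITY = {"emerg": "Very High", "alert": "Very High", "crit": "Very High",
            "error": "High", "warn": "Medium",
            "notice": "Low", "info": "Low", "debug": "Low"}

# Python equivalents of the guide's two Device Receipt Time patterns:
# "EEE MMM dd HH:mm:ss yyyy" and "EEE MMM dd HH:mm:ss.SSS yyyy".
TS_FORMATS = ("%a %b %d %H:%M:%S %Y", "%a %b %d %H:%M:%S.%f %Y")

# Assumed layout: [date] [module:level] [pid N:tid N] [client addr] message
LINE = re.compile(
    r"^\[(?P<date>[^\]]+)\] "
    r"\[(?:(?P<module>\w+):)?(?P<level>\w+)\] "
    r"(?:\[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\] )?"
    r"(?:\[client (?P<client>[^\]]+)\] )?"
    r"(?P<msg>.*)$")

def parse_ts(text):
    """Try each timestamp pattern in turn; None if neither matches."""
    for fmt in TS_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    return None

def parse_error_line(line):
    """Return a dict keyed by ArcSight ESM field name, or None if unparsable."""
    m = LINE.match(line.strip())
    if not m:
        return None
    client = m["client"]
    if client and client.count(":") == 1:   # IPv4 "addr:port" -> addr
        client = client.rsplit(":", 1)[0]
    return {
        "Device Vendor": "Apache", "Device Product": "apache",
        "Device Receipt Time": parse_ts(m["date"]),
        "Device Severity": m["level"],
        # Levels absent from the table (e.g. trace1) fall back to "Unknown".
        "ArcSight Severity": SEVERITY.get(m["level"], "Unknown"),
        "Device Process Name": m["module"] or "apache",  # One of (Module, "apache")
        "Device Process ID": int(m["pid"]) if m["pid"] else None,
        "Device Custom Number 3": int(m["tid"]) if m["tid"] else None,
        "Source Address": client,
        "Name": m["msg"],
    }

# Constructed sample lines (2.2-style, then 2.4-style).
SAMPLES = [
    "[Wed Oct 11 14:32:52 2000] [error] [client 127.0.0.1] client denied by server configuration: /export/home/live/ap/htdocs/test",
    "[Fri Sep 09 10:42:29.902022 2011] [core:error] [pid 35708:tid 4328636416] [client 72.15.99.187:50000] File does not exist: /usr/local/apache2/htdocs/favicon.ico",
]
```

Lines that return None or an "Unknown" severity are the ones worth checking first when events are missing or mis-prioritized downstream.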
